August 2018 DOT HS 812 573
Functional Safety Assessment of an Automated Lane Centering System
Appendices
Appendix A: Current Safety Issues for the ALC System ....................................................... A-1
Appendix B: STPA Causal Factor Guidewords and Guidewords Subcategories ................... B-1
Appendix C: HAZOP Study Results ...................................................................................... C-1
Appendix D: Unsafe Control Action (UCA) Assessment Tables ........................................... D-1
Appendix E: STPA Step 1: UCAs and Mapping to Hazards .................................................. E-1
Appendix F: Operational Situations ........................................................................................ F-1
Appendix G: ASIL Assessment .............................................................................................. G-1
Appendix H: FMEA ................................................................................................................ H-1
Appendix I: STPA Step 2: Causal Factors .............................................................................. I-1
Appendix J: Three-Level Monitoring Strategy....................................................................... J-1
Appendix K: Diagnostic Trouble Codes Relevant to the ALC System .................................. K-1
CURRENT SAFETY ISSUES FOR THE ALC SYSTEM
This appendix summarizes the findings from this study’s review of current safety issues related to the ALC system. Since very few ALC systems are currently on the market, the review of current safety issues also included LKA systems with the assumption that ALC and LKA systems have similar architectural elements.
This study examined crash databases, and NHTSA’s vehicle recall and VOQ databases to identify potential safety concerns related to the ALC system. However, crash data available in the General Estimates System and Fatality Analysis Reporting System do not include coding to identify crashes potentially attributable to LKA or ALC system failures.
NHTSA Motor Vehicle Recall Campaigns
This study reviewed motor vehicle recall campaigns (see footnote 1) for model year 2002 through 2015 light vehicles. This review did not identify any recall campaigns directly attributable to LKA or ALC systems. However, recalls due to failures in the foundational steering or braking systems that implement LKA or ALC commands could potentially affect safe operation of the LKA or ALC system.
NHTSA Vehicle Owner Questionnaires
Vehicle owners can express their safety concerns to NHTSA via the vehicle owner questionnaire mechanism. NHTSA’s Defects Assessment Division screens more than 30,000 VOQs annually to inform their decisions on issues requiring further investigation [5].
Volpe reviewed 12 VOQs related to LKA or ALC systems. These VOQs were identified by searching the VOQ database for the following key words or phrases:
• Lane Keep
• Lane Keeping
• Lane Center
• Lane Centering
• Traffic Jam Assist
• Distronic Plus (see footnote 2)
• Lane Departure Prevention
• Lane Control
• Lane Assist
Footnote 1: Either NHTSA or the manufacturers may issue recalls due to vehicle or equipment defects once it is determined that a safety defect exists in a motor vehicle or items of motor vehicle equipment that poses a risk to safety [5]. CFR Title 49 Volume 7 Part 573.6 [6] requires the manufacturer to furnish a report to NHTSA for each defect once a recall is warranted.
Footnote 2: Distronic Plus (with Steering Assist) is a trade name for one type of ALC system.
The data obtained from the VOQs was categorized based on the STPA UCA guide phrases described in Section 2.2.3 of this report. Figure A-1 shows the breakdown of the VOQs by UCA category.
Figure A-1: Unsafe Control Action Breakdown of LKA or ALC System VOQs
Review of the LKA or ALC related VOQs indicated that the highest number of owner complaints referenced cases where the LKA or ALC system was not available or did not intervene when needed.
Each recall was further categorized based on the potential CFs contributing to the recall. The CF categories used for the analysis are presented in Appendix B. Figure A-2 shows the breakdown of VOQs by CF category.
Figure A-2: Causal Factor Breakdown of LKA or ALC System VOQs
Of the VOQs that provided a cause, most indicated that a software algorithm error in the LKA or ALC control module led to the malfunction of the LKA or ALC system. Note that VOQs are often submitted by vehicle owners based on perceived vehicle behavior and the vehicle owners submitting VOQs may not have technical expertise on how the system operates.
STPA CAUSAL FACTOR GUIDEWORDS AND GUIDEWORDS SUBCATEGORIES
Figure B-1. Causal Factor Categories for Automotive Electronic Control Systems .... B-2
Table B-1. Causal Factor Sub-categories for Automotive Electronic Control Systems .... B-3
Figure B-1. Causal Factor Categories for Automotive Electronic Control Systems
Table B-1. Causal Factor Sub-categories for Automotive Electronic Control Systems
The numbering in the table below corresponds to that in Figure B-1.

Components

Controller
(6) Controller hardware faulty, change over time
• Internal hardware failure
• Overheating due to increased resistance in a subcomponent or internal shorting
• Over temperature due to faulty cooling system
• Degradation over time
• Faulty memory storage or retrieval
• Faulty internal timing clock
• Faulty signal conditioning or converting (e.g., analog-to-digital converter, signal filters)
• Unused circuits in the controller
(7) Software error (inadequate control algorithm, flaws in creation, modification, or adaptation)
• Inadequate control algorithm
• Flaws in software code creation
(8) Process model or calibration incomplete or incorrect
• Sensor or actuator calibration, including degradation characteristics
• Model of the controlled process, including its degradation characteristics
(2) External control input or information wrong or missing
• Timing-related input is incorrect or missing
• Spurious input due to shorting or other electrical fault
• Corrupted signal
• Malicious intruder
(3) Power supply faulty (high, low, disturbance)
• Loss of 12-volt power
• Power supply faulty (high, low, disturbance)
(2) External disturbances
• EMI or ESD
• Single-event effects (e.g., cosmic rays, protons)
• Vibration or shock impact
• Manufacturing defects and assembly problems
• Extreme external temperature or thermal cycling
• Moisture, corrosion, or contamination
• Organic growth
• Physical interference (e.g., chafing)
(4) Hazardous interaction with other components in the rest of the vehicle
• EMI or ESD
• Vibration or shock impact
• Physical interference (e.g., chafing)
• Moisture, corrosion, or contamination
• Excessive heat from other components
• Electrical arcing from neighboring components or exposed terminals
• Corona effects from high voltage components

Sensor
(9) Sensor inadequate operation, change over time
• Internal hardware failure
• Overheating due to increased resistance in a subcomponent or internal shorting
• Degradation over time
• Over temperature due to faulty cooling system
• Reporting frequency too low
(3) Power supply faulty (high, low, disturbance)
• Loss of 12-volt power
• Reference voltage incorrect (e.g., too low, too high)
• Power supply faulty (high, low, disturbance)
(2) External disturbances
• EMI or ESD
• Single-event effects (e.g., cosmic rays, protons)
• Vibration or shock impact
• Manufacturing defects and assembly problems
• Extreme external temperature or thermal cycling
• Moisture, corrosion, or contamination
• Organic growth
• Physical interference (e.g., chafing)
• Magnetic interference
(4) Hazardous interaction with other components in the rest of the vehicle
• EMI or ESD
• Vibration or shock impact
• Physical interference (e.g., chafing)
• Moisture, corrosion, or contamination
• Excessive heat from other components
• Magnetic interference
• Electrical arcing from neighboring components or exposed terminals
• Corona effects from high voltage components

Actuator
(15) Actuator inadequate operation, change over time
• Internal hardware failure
• Degradation over time
• Over temperature due to faulty cooling system
• Incorrectly sized actuator
• Relay failure modes, including: 1) does not energize, 2) does not de-energize, and 3) welded contacts
• Overheating due to increased resistance in a subcomponent or internal shorting
(3) Power supply faulty (high, low, disturbance)
• Loss of 12-volt power
• Power supply faulty (high, low, disturbance)
(2) External disturbances
• EMI or ESD
• Single-event effects (e.g., cosmic rays, protons)
• Vibration or shock impact
• Manufacturing defects and assembly problems
• Extreme external temperature or thermal cycling
• Moisture, corrosion, or contamination
• Organic growth
• Physical interference (e.g., chafing)
• Magnetic interference
(4) Hazardous interaction with other components in the rest of the vehicle
• EMI or ESD
• Vibration or shock impact
• Physical interference (e.g., chafing)
• Moisture, corrosion, or contamination
• Excessive heat from other components
• Magnetic interference
• Electrical arcing from neighboring components or exposed terminals
• Corona effects from high voltage components
• Unable to meet demands from multiple components (e.g., inadequate torque)

Controlled Process
(20) Controlled component failure, change over time
• Internal hardware failure
• Degradation over time
(3) Power supply faulty (high, low, disturbance)
• Loss of 12-volt power
• Power supply faulty (high, low, disturbance)
(2) External disturbances
• EMI or ESD
• Single-event effects (e.g., cosmic rays, protons)
• Vibration or shock impact
• Manufacturing defects and assembly problems
• Extreme external temperature or thermal cycling
• Moisture, corrosion, or contamination
• Organic growth
• Physical interference (e.g., chafing)
• Magnetic interference
(4) Hazardous interaction with other components in the rest of the vehicle
• EMI or ESD
• Vibration or shock impact
• Physical interference (e.g., chafing)
• Moisture, corrosion, or contamination
• Excessive heat from other components
• Magnetic interference
• Electrical arcing from neighboring components or exposed terminals
• Corona effects from high voltage components
• Unable to meet demands from multiple components (e.g., inadequate torque)
(22) Output of controlled process contributing to system hazard

Process Input Supplier to Controlled Process
(23) Process input supplier inadequate operation, change over time
• Process input supplier inadequate operation, change over time
• Electrical noise other than EMI or ESD
(3) Power supply faulty (high, low, disturbance)
• Loss of 12-volt power
• Power supply faulty (high, low, disturbance)
(2) External disturbances
• EMI or ESD
• Single-event effects (e.g., cosmic rays, protons)
• Vibration or shock impact
• Manufacturing defects and assembly problems
• Extreme external temperature or thermal cycling
• Moisture, corrosion, or contamination
• Organic growth
• Physical interference (e.g., chafing)
• Magnetic interference
(4) Hazardous interaction with other components in the rest of the vehicle
• EMI or ESD
• Vibration or shock impact
• Physical interference (e.g., chafing)
• Moisture, corrosion, or contamination
• Excessive heat from other components
• Magnetic interference
• Electrical arcing from neighboring components or exposed terminals
• Corona effects from high voltage components
• Unable to meet demands from multiple components (e.g., inadequate torque)

Connections

Sensor to Controller, Controller to Actuator
(10) and (16) Hardware open, short, missing, intermittent faulty
• Connection is intermittent
• Connection is open, short to ground, short to battery, or short to other wires in harness
• Electrical noise other than EMI or ESD
• Connector contact resistance is too high
• Connector shorting between neighboring pins
• Connector resistive drift between neighboring pins
(11) and (17) Communication bus error
• Bus overload or bus error
• Signal priority too low
• Failure of the message generator, transmitter, or receiver
• Malicious intruder
(24) and (25) Incorrect connection
• Incorrect wiring connection
• Incorrect pin assignment
(2) External disturbances
• EMI or ESD
• Single-event effects (e.g., cosmic rays, protons)
• Vibration or shock impact
• Manufacturing defects and assembly problems
• Extreme external temperature or thermal cycling
• Unused connection terminals affected by moisture, corrosion, or contamination
• Organic growth
• Physical interference (e.g., chafing)
• Active connection terminals affected by moisture, corrosion, or contamination
(4) Hazardous interaction with other components in the rest of the vehicle
• EMI or ESD
• Vibration or shock impact
• Physical interference (e.g., chafing)
• Unused connection terminals affected by moisture, corrosion, or contamination
• Excessive heat from other components
• Electrical arcing from neighboring components or exposed terminals
• Corona effects from high voltage components
• Active connection terminals affected by moisture, corrosion, or contamination
• Mechanical connections affected by moisture, corrosion, or contamination

Actuator to Controlled Process
(18) Actuation delivered incorrectly or inadequately: Hardware faulty
(19) Actuation delayed
(20) Actuator to controlled process incorrect connection
(2) External disturbances
• EMI or ESD
• Single-event effects (e.g., cosmic rays, protons)
• Vibration or shock impact
• Manufacturing defects and assembly problems
• Extreme external temperature or thermal cycling
• Unused connection terminals affected by moisture, corrosion, or contamination
• Organic growth
• Physical interference (e.g., chafing)
• Active connection terminals affected by moisture, corrosion, or contamination
• Mechanical connections affected by moisture, corrosion, or contamination
(4) Hazardous interaction with other components in the rest of the vehicle
• EMI or ESD
• Vibration or shock impact
• Physical interference (e.g., chafing)
• Unused connection terminals affected by moisture, corrosion, or contamination
• Excessive heat from other components
• Electrical arcing from neighboring components or exposed terminals
• Corona effects from high voltage components
• Active connection terminals affected by moisture, corrosion, or contamination
• Mechanical connections affected by moisture, corrosion, or contamination

Controlled Process to Sensor
(12) Sensor measurement incorrect or missing
• Sensor incorrectly aligned/positioned
(13) Sensor measurement inaccurate
• Sensor incorrectly aligned/positioned
(14) Sensor measurement delay
• Sensor incorrectly aligned/positioned
(2) External disturbances
• EMI or ESD
• Single-event effects (e.g., cosmic rays, protons)
• Vibration or shock impact
• Manufacturing defects and assembly problems
• Extreme external temperature or thermal cycling
• Unused connection terminals affected by moisture, corrosion, or contamination
• Organic growth
• Physical interference (e.g., chafing)
• Active connection terminals affected by moisture, corrosion, or contamination
• Mechanical connections affected by moisture, corrosion, or contamination
(4) Hazardous interaction with other components in the rest of the vehicle
• EMI or ESD
• Vibration or shock impact
• Physical interference (e.g., chafing)
• Unused connection terminals affected by moisture, corrosion, or contamination
• Excessive heat from other components
• Electrical arcing from neighboring components or exposed terminals
• Corona effects from high voltage components
• Active connection terminals affected by moisture, corrosion, or contamination
• Mechanical connections affected by moisture, corrosion, or contamination

Other

Controller to Controlled Process
(5) Conflicting control action

Process Input Supplier to Controlled Process
(21) Input to controlled process missing or wrong
HAZOP STUDY RESULTS
Table C-1. Function 1: Activate ALC system per driver's input .... C-2
Table C-2. Function 2: Deactivate ALC system per driver's input .... C-2
Table C-3. Function 3: Monitor for required level of operator engagement .... C-2
Table C-4. Function 4: Deactivate if operator engagement is inadequate .... C-3
Table C-5. Function 5: Alert operator when disengaging or faulted .... C-3
Table C-6. Function 6: Detect roadway environment using sensor array .... C-4
Table C-7. Function 7: Detect individual sensor failure .... C-5
Table C-8. Function 8: Detect left lane/roadway markings .... C-6
Table C-9. Function 9: Detect right lane/roadway markings .... C-6
Table C-10. Function 10: Determine lane/roadway width (roadway boundary) .... C-7
Table C-11. Function 11: Detect other vehicles on the roadway (e.g., lead vehicle) .... C-8
Table C-12. Function 12: Detect roadway signage (e.g., curve ahead, arrows, etc.) .... C-9
Table C-13. Function 13: Detect roadway references (e.g., guardrail, shoulders, etc.) .... C-9
Table C-14. Function 14: Determine roadway type .... C-10
Table C-15. Function 15: Determine vehicle position in the lane .... C-10
Table C-16. Function 16: Calculate torque/yaw required to return vehicle to reference path .... C-11
Table C-17. Function 17: Calculate torque/yaw limit (limit magnitude or torque overlay) .... C-11
Table C-18. Function 18: Deactivate when perception is not adequate .... C-12
Table C-19. Function 19: Request torque/yaw from foundational steering or braking system .... C-12
Table C-20. Function 20: Communicates with other vehicle features/functions .... C-13
Table C-21. Function 21: Communicates with internal subsystems .... C-13
Table C-22. Function 22: Store data .... C-14
Table C-23. Function 23: Provide diagnostics .... C-14
Table C-24. Function 24: Provide fault detection and mitigation .... C-14
Table C-1. Function 1: Activate ALC system per driver's input
I.D. | Malfunction | Potential Vehicle Level Hazard
F1-1 | Does not activate ALC system | Not Hazardous
F1-2 | Intermittently activates ALC system | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F1-3 | Activates ALC system without driver knowledge | Improper Transition of Control Back to Driver
F1-4 | Stuck in deactivated mode | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
Table C-2. Function 2: Deactivate ALC system per driver's input
I.D. | Malfunction | Potential Vehicle Level Hazard
F2-1 | Does not deactivate ALC system | Improper Transition of Control Back to Driver
F2-2 | Intermittently deactivates ALC system | Not Hazardous
F2-3 | Deactivates ALC system without driver's input | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Unintended Loss of ALC
F2-4 | Stuck in activated mode | Not Hazardous
Table C-3. Function 3: Monitor for required level of operator engagement
I.D. | Malfunction | Potential Vehicle Level Hazard
F3-1 | Does not monitor the driver's attention | Improper Transition of Control Back to Driver
F3-2 | Monitors the driver's attention with greater frequency than intended | Not Hazardous
F3-3 | Monitors the driver's attention with less frequency than intended | Improper Transition of Control Back to Driver
F3-4 | Intermittently monitors the driver's attention | Improper Transition of Control Back to Driver
F3-5 | Monitors the driver's attention when ALC system is not activated | Not Hazardous
F3-6 | Reports a constant driver attentiveness state | Improper Transition of Control Back to Driver
Table C-4. Function 4: Deactivate if operator engagement is inadequate
I.D. | Malfunction | Potential Vehicle Level Hazard
F4-1 | Does not deactivate if driver engagement is inadequate, but alerts to the operator are correct | Not Hazardous
F4-2 | Intermittently deactivates | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F4-3 | Deactivates while driver is engaged in driving task | Unintended Loss of ALC
F4-4 | Deactivates while driver is NOT engaged in driving task | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Improper Transition of Control Back to Driver
F4-5 | Stuck in deactivated mode | Not Hazardous
F4-6 | Stuck in activated mode | Not Hazardous
Table C-5. Function 5: Alert operator when disengaging or faulted
I.D. | Malfunction | Potential Vehicle Level Hazard
F5-1 | Does not alert operator when disengaging or faulted | Improper Transition of Control Back to Driver: Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F5-2 | Alerts operator with more lead time than needed to resume control | Not Hazardous
F5-3 | Alerts operator with less lead time or less urgency than needed to resume control | Improper Transition of Control Back to Driver
F5-4 | Alerts to operator are not sufficient for driver to notice (soft chime, poor visual display) | Improper Transition of Control Back to Driver: Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F5-5 | Intermittently alerts operator when disengaging or faulted | Improper Transition of Control Back to Driver: Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F5-6 | Alerts operator when system is not disengaging or faulted | Improper Transition of Control Back to Driver
F5-7 | Alert is stuck in the "on" position | Not Hazardous
F5-8 | Alert is stuck in the "off" position | Improper Transition of Control Back to Driver: Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
Table C-6. Function 6: Detect roadway environment using sensor array
I.D. | Malfunction | Potential Vehicle Level Hazard
F6-1 | Sensor does not detect the environment | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F6-2 | Sensor detection with greater frequency than intended | Not Hazardous
F6-3 | Sensor reports with greater importance/weight than appropriate (more than it is) | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F6-4 | Sensor detection with less frequency than intended | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F6-5 | Sensor reports with less importance/weight than appropriate (less than it is) | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F6-6 | Sensor intermittently detects roadway environment | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F6-7 | Sensor detection is reversed (e.g., camera image is mirrored) | Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F6-8 | Sensor detection is on opposite side of the vehicle (e.g., L/R camera channels are switched) | Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F6-9 | Sensor detects roadway environment when ALC is not engaged | Not Hazardous
F6-10 | Sensor provides constant information as environment changes (e.g., blocked radar) | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
Table C-7. Function 7: Detect individual sensor failure
I.D. | Malfunction | Potential Vehicle Level Hazard
F7-1 | Does not detect an internal failure | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F7-2 | Detects more faults than actually present | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F7-3 | Detects fewer faults than actually present | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F7-4 | Intermittently detects faults (fault status cycles) | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F7-5 | Reports a fault when no fault is present | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F7-6 | Fault status/flag is stuck | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Unintended Loss of ALC
This function is a safety mechanism intended to mitigate hazards from other malfunctions. It is only shown for completeness.
Table C-8. Function 8: Detect left lane/roadway markings
I.D. | Malfunction | Potential Vehicle Level Hazard
F8-1 | Does not detect lane markings on the left side of the vehicle | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F8-2 | Detects more lane markings on the left side than actually present (double markings, ghost markings, etc.) | Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F8-3 | Detects fewer lane markings on the left side than actually present | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F8-4 | Intermittently detects lane markings on the left side of the vehicle | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F8-5 | Reverses lane marking positions (left/right) | Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F8-6 | Detects lane markings when no markings are present | Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F8-7 | Does not update the lane markings as the vehicle travels | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
Table C-9. Function 9: Detect right lane/roadway markings
I.D. | Malfunction | Potential Vehicle Level Hazard
F9-1 | Does not detect lane markings on the right side of the vehicle | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F9-2 | Detects more lane markings on the right side than actually present (double markings, ghost markings, etc.) | Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F9-3 | Detects fewer lane markings on the right side than actually present | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F9-4 | Intermittently detects lane markings on the right side of the vehicle | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F9-5 | Reverses lane marking positions (left/right) | Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F9-6 | Detects lane markings when no markings are present | Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F9-7 | Does not update the lane markings as the vehicle travels | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
Table C-10. Function 10: Determine lane/roadway width (roadway boundary)
I.D. | Malfunction | Potential Vehicle Level Hazard
F10-1 | Does not determine the roadway/lane width | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F10-2 | Determines the roadway/lane is wider than it actually is | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F10-3 | Determines the roadway/lane is narrower than it actually is | Not Hazardous
F10-4 | Intermittently determines the roadway/lane width | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F10-5 | Determines the roadway/lane width when ALC is not engaged | Not Hazardous
F10-6 | Does not update the roadway/lane width as the roadway/lane width varies | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
Table C-11. Function 11: Detect other vehicles on the roadway (e.g., lead vehicle)
I.D. | Malfunction | Potential Vehicle Level Hazard
F11-1 | Does not detect other vehicles on the roadway | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F11-2 | Detects surrounding objects as vehicles | Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F11-3 | Only detects some types of vehicles on roadway | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F11-4 | Intermittently detects other vehicles on roadway | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F11-5 | Detects movement of other vehicles in the wrong direction (e.g., L/R reversed) | Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F11-6 | Detects other vehicles on the roadway when none present | Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F11-7 | Reports the same position for the lead vehicle even after the lead vehicle moves | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
Table C-12. Function 12: Detect roadway signage (curve ahead, arrows, etc.)
I.D. | Malfunction | Potential Vehicle Level Hazard
F12-1 | Does not detect roadway signage | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F12-2 | Detects surrounding objects as signage | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F12-3 | Only detects some types of signs | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F12-4 | Intermittently detects roadway signage | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F12-5 | Roadway signage image is reversed (i.e., mirrored) | Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F12-6 | Detects roadway signage when not present | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F12-7 | Stuck reporting the same roadway signage information even as roadway signage changes | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
Table C-13. Function 13: Detect roadway references (guardrail, shoulders, etc.)
I.D. | Malfunction | Potential Vehicle Level Hazard
F13-1 | Does not detect roadway references | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F13-2 | Incorrectly detects surrounding objects as roadway references | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F13-3 | Does not detect all types of roadway references | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F13-4 | Intermittently detects roadway references | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F13-5 | Roadway references detected on opposite side of the vehicle | Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F13-6 | Detects roadway references when not present | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F13-7 | Stuck reporting the same roadway references even as surrounding environment changes | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
Table C-14. Function 14: Determine roadway type
I.D. | Malfunction | Potential Vehicle Level Hazard
F14-1 | Does not determine roadway type | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F14-2 | Intermittently determines the roadway type | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F14-3 | Determines a roadway type with more steering authority | Not Hazardous
F14-4 | Determines a roadway type with less steering authority | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F14-5 | Determines roadway type when ALC is not engaged | Not Hazardous
F14-6 | Always reports the same roadway type | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
Table C-15. Function 15: Determine vehicle position in the lane
I.D. | Malfunction | Potential Vehicle Level Hazard
F15-1 | Does not determine vehicle's position in the lane | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F15-2 | Determines the vehicle is closer to the lane boundary than actual | Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F15-3 | Determines the vehicle is further from the lane boundary than actual | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F15-4 | Intermittently determines the vehicle's position in the lane | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F15-5 | Determines the vehicle is on the opposite side of the lane (e.g., L/R reversed) | Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F15-6 | Determines the vehicle position in the lane when ALC is not engaged | Not Hazardous
F15-7 | Reports the vehicle is at a constant lane position | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
Table C-16. Function 16: Calculate torque/yaw required to return vehicle to reference path
I.D. | Malfunction | Potential Vehicle Level Hazard
F16-1 | Does not calculate the required torque/yaw to return vehicle to reference path | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F16-2 | Calculates more torque/yaw than necessary to return vehicle to reference path | Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F16-3 | Calculates less torque/yaw than necessary to return vehicle to reference path | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F16-4 | Intermittently calculates the required torque/yaw to return vehicle to reference path | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F16-5 | Calculates torque/yaw, but in the reversed direction (e.g., CW instead of CCW) | Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F16-6 | Calculates a required torque/yaw when the vehicle is already on the reference path | Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F16-7 | Calculates a constant torque/yaw value | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
Table C-17. Function 17: Calculate torque/yaw limit (limit magnitude or torque overlay)
I.D. | Malfunction | Potential Vehicle Level Hazard
F17-1 | Does not calculate the torque/yaw limit | Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F17-2 | Calculates a higher torque/yaw limit than appropriate for operating conditions | Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F17-3 | Calculates a lower torque/yaw limit than appropriate for operating conditions | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F17-4 | Intermittently calculates the torque/yaw limit | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F17-5 | Calculates the torque/yaw limit in the wrong direction (e.g., minimum torque/yaw value instead of maximum torque/yaw value) | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F17-6 | Calculates a torque/yaw limit when full torque authority is needed | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F17-7 | Limits torque/yaw at a constant value regardless of operating conditions | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
Table C-18. Function 18: Deactivate when perception is not adequate
I.D. | Malfunction | Potential Vehicle Level Hazard
F18-1 | Does not deactivate when environment cannot be detected | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F18-2 | Intermittently deactivates when environment cannot be detected | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F18-3 | Deactivates when environment is detected adequately | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Unintended Loss of ALC
F18-4 | Stuck in deactivated mode | Not Hazardous
F18-5 | Stuck in activated mode | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
Table C-19. Function 19: Request torque/yaw from foundational steering or braking system
I.D. | Malfunction | Potential Vehicle Level Hazard
F19-1 | Does not request torque/yaw from steering or braking system | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F19-2 | Requests more torque/yaw from steering or braking system than needed | Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F19-3 | Requests less torque than needed to change yaw rate | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F19-4 | Intermittently requests torque from steering or braking system | Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F19-5 | Requests torque/yaw from steering or braking system when ALC is deactivated or suspended | Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F19-6 | Requests the same amount of torque/yaw from the steering or braking system | Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
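The torque request path covered by Tables C-16, C-17 and C-19 (calculate the torque/yaw, calculate its limit, request it from the foundational steering or braking system) is where a cycle-by-cycle plausibility monitor can catch several of the listed malfunction classes before they reach the actuator. The Python below is an added example written for this page; it is not code from the report, from NHTSA, or from any ALC supplier. It classifies each controller cycle against the malfunction IDs of those three tables. The Frame fields, the sign convention (lateral error positive when the vehicle sits to the right of the reference path, a corrective torque overlay negative), the 0.05 m on-path band, the thresholds, and the sample cycles are all assumptions constructed for the example.

```python
"""Plausibility monitor for the torque/yaw request path of an ALC controller.

Added example, not code from the report or from any ALC supplier.  Each
controller cycle is checked against the malfunction classes catalogued in
Tables C-16, C-17 and C-19 and the matching malfunction IDs are returned.

Assumed sign convention (hypothetical): lateral_error_m is positive when the
vehicle sits to the right of the reference path, and a corrective torque
overlay that steers it back toward the path is negative.  A correct request
therefore has the opposite sign of the lateral error.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Frame:
    t_ms: int                          # controller cycle timestamp (constructed)
    alc_engaged: bool                  # ALC engaged/active in this cycle
    lateral_error_m: float             # signed offset from the reference path
    torque_req_nm: Optional[float]     # torque overlay requested; None = not calculated
    torque_limit_nm: Optional[float]   # magnitude limit from Function 17; None = not calculated


ON_PATH_M = 0.05      # inside this band the vehicle counts as already on the path (assumed)
STUCK_TOL_NM = 1e-3   # request change below this counts as an unchanged value (assumed)
ERROR_MOVE_M = 0.10   # error must move at least this much before an unchanged request is suspect


def check_frame(f: Frame, prev: Optional[Frame]) -> List[str]:
    """Return the Table C-16/C-17/C-19 malfunction IDs this cycle is consistent with."""
    findings: List[str] = []

    # F19-5: torque/yaw requested while ALC is deactivated or suspended.
    if not f.alc_engaged:
        if f.torque_req_nm is not None and f.torque_req_nm != 0.0:
            findings.append("F19-5")
        return findings

    # F16-1: nothing calculated although ALC is engaged and the vehicle is off the path.
    if f.torque_req_nm is None:
        if abs(f.lateral_error_m) > ON_PATH_M:
            findings.append("F16-1")
        return findings

    req = f.torque_req_nm
    err = f.lateral_error_m

    # F17-1: a request is being issued with no limit calculated at all.
    if f.torque_limit_nm is None:
        findings.append("F17-1")
    # F16-2 / F17-2: request magnitude exceeds the limit that was calculated.
    elif abs(req) > f.torque_limit_nm:
        findings.append("F16-2/F17-2")

    if abs(err) <= ON_PATH_M:
        # F16-6: correcting torque requested although the vehicle is already on the path.
        if abs(req) > STUCK_TOL_NM:
            findings.append("F16-6")
    elif req != 0.0 and (req > 0) == (err > 0):
        # F16-5: request has the same sign as the error, i.e. it steers away from the path.
        findings.append("F16-5")

    # F16-7: request unchanged although the lateral error moved appreciably.
    if (prev is not None and prev.alc_engaged and prev.torque_req_nm is not None
            and abs(req - prev.torque_req_nm) < STUCK_TOL_NM
            and abs(err - prev.lateral_error_m) >= ERROR_MOVE_M):
        findings.append("F16-7")

    return findings


def monitor(frames: List[Frame]) -> Dict[int, List[str]]:
    """Run check_frame over a cycle sequence; keys are the timestamps that had findings."""
    out: Dict[int, List[str]] = {}
    prev: Optional[Frame] = None
    for f in frames:
        found = check_frame(f, prev)
        if found:
            out[f.t_ms] = found
        prev = f
    return out


# Constructed sample cycles (not measured data): one clean cycle followed by
# one cycle per malfunction class the monitor is meant to catch.
SAMPLE_FRAMES = [
    Frame(0,   True,  0.30, -2.0, 3.0),   # correct: error to the right, torque steers left
    Frame(20,  True,  0.30,  2.0, 3.0),   # F16-5: reversed direction
    Frame(40,  True,  0.02, -1.5, 3.0),   # F16-6: request while already on path
    Frame(60,  True,  0.40, -3.5, 3.0),   # F16-2/F17-2: exceeds the 3.0 Nm limit
    Frame(80,  True,  0.40, -2.0, None),  # F17-1: no limit calculated
    Frame(100, True,  0.40, -2.0, 3.0),   # clean: same request, but error did not move
    Frame(120, True,  0.10, -2.0, 3.0),   # F16-7: error moved 0.30 m, request unchanged
    Frame(140, False, 0.10, -1.0, 3.0),   # F19-5: request while ALC not engaged
    Frame(160, True,  0.30, None, 3.0),   # F16-1: engaged, off path, nothing calculated
]

if __name__ == "__main__":
    for t, ids in monitor(SAMPLE_FRAMES).items():
        print(f"t={t:4d} ms: {', '.join(ids)}")
```

A single-cycle check of this kind only sees sign, magnitude-versus-limit, timing and stuck-value faults. It cannot tell F16-3 (less torque than necessary) or F17-3 (a lower limit than appropriate) from a legitimately small request, because that judgement needs a vehicle model of how much torque the current error and speed actually call for; those classes belong to a model-based or driver-feedback layer rather than to a range and sign monitor.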
Table C-20. Function 20: Communicates with other vehicle features/functions
I.D. | Malfunction | Potential Vehicle Level Hazard
F20-1 | Does not communicate with other vehicle features or functions | ALC Interferes With Operation of Other Vehicle Features/Systems
F20-2 | Communicates with other vehicle features or functions with greater frequency than needed | Not Hazardous
F20-3 | Communicates with other vehicle features or functions with less frequency than needed | ALC Interferes With Operation of Other Vehicle Features/Systems
F20-4 | Intermittently communicates with other vehicle features or functions | ALC Interferes With Operation of Other Vehicle Features/Systems
F20-5 | Communicates with other vehicle features or functions when not needed | Not Hazardous
F20-6 | Communicates the same information with other vehicle features or functions | ALC Interferes With Operation of Other Vehicle Features/Systems
Table C-21. Function 21: Communicates with internal subsystems
I.D. | Malfunction | Potential Vehicle Level Hazard
F21-1 | Does not communicate with internal subsystems (e.g., sensor modules) | Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F21-2 | Communicates with internal subsystems with more frequency than needed | Not Hazardous
F21-3 | Communicates with internal subsystems with less frequency than needed | Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F21-4 | Intermittently communicates with internal subsystems | Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
F21-5 | Communicates with internal subsystems when not needed | Not Hazardous
F21-6 | Communicates the same information with internal subsystems | Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged; Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
Table C-22. Function 22: Store data
I.D. | Malfunction | Potential Vehicle Level Hazard
F22-1 | System does not store data | Not Hazardous
F22-2 | System stores too much data | Not Hazardous
F22-3 | System stores too little data | Not Hazardous
F22-4 | System stores data intermittently | Not Hazardous
F22-5 | System stores data when not needed | Not Hazardous
F22-6 | System stores same data (stuck value) | Not Hazardous
Table C-23. Function 23: Provide diagnostics
I.D. | Malfunction | Potential Vehicle Level Hazard
F23-1 | System does not perform diagnostics | Not Hazardous
F23-2 | System provides more diagnostics than needed | Not Hazardous
F23-3 | System does not provide enough diagnostics | Not Hazardous
F23-4 | System intermittently provides diagnostics | Not Hazardous
F23-5 | System provides diagnostics when not needed | Not Hazardous
F23-6 | System diagnostics stuck at value | Not Hazardous
Table C-24. Function 24: Provide fault detection and mitigation
I.D. | Malfunction | Potential Vehicle Level Hazard
F24-1 | System does not provide fault detection and failure mitigation | Not Hazardous
F24-2 | Provides more fault detection and mitigation than intended | Not Hazardous
F24-3 | Provides less fault detection and mitigation than intended | Not Hazardous
F24-4 | Provides intermittent fault detection and mitigation | Not Hazardous
F24-5 | Provides fault detection and mitigation when not requested | Not Hazardous
F24-6 | Fault detection and mitigation is stuck at value | Not Hazardous
This function is a safety mechanism intended to mitigate hazards from other malfunctions. It is only shown for completeness.
UNSAFE CONTROL ACTION (UCA) ASSESSMENT TABLES
Table D-1: Control Action: “Adjust Vehicle’s Lateral Position in the δ Direction” ..... D-2
Table D-2: Control Action: “Disengage ALC System” ..... D-4
Table D-3: Control Action: “Engage ALC System” ..... D-5
Table D-4: Control Action: “Actuate Switch to Enable ALC System” ..... D-6
Table D-5: Control Action: “Actuate Switch to Disable ALC System” ..... D-6
Table D-6: Control Action: “Resume Steering Control” ..... D-7
Table D-1: Control Action: “Adjust Vehicle’s Lateral Position in the δ Direction”
The first two columns are the context variables for “Adjust vehicle’s lateral position in the δ direction”; the remaining columns are the guidewords for assessing whether the control action may be unsafe. A cell that is empty in the source is shown as “-”.
Lateral Adjustment Request From Other Vehicle Systems | Movement Relative to Reference Trajectory | Not provided in this context | Provided in this context | Provided, but duration is too long | Provided, but duration is too short | Provided, but the intensity is incorrect (too much) | Provided, but the intensity is incorrect (too little) | Provided, but executed incorrectly | Provided, but the starting time is too soon | Provided, but the starting time is too late
None | Direction of δ is away from the reference trajectory | - | H2 | Hazardous if Provided | Hazardous if Provided | Hazardous if Provided | Hazardous if Provided | Hazardous if Provided | Hazardous if Provided | Hazardous if Provided
In the same direction as δ | Direction of δ is away from the reference trajectory | H5 | H2 | Hazardous if Provided | Hazardous if Provided | Hazardous if Provided | Hazardous if Provided | Hazardous if Provided | Hazardous if Provided | Hazardous if Provided
In the opposite direction of δ | Direction of δ is away from the reference trajectory | - | H2, H5 | Hazardous if Provided | Hazardous if Provided | Hazardous if Provided | Hazardous if Provided | Hazardous if Provided | Hazardous if Provided | Hazardous if Provided
In both the opposite and the same direction as δ | Direction of δ is away from the reference trajectory | H5 | H2, H5 | Hazardous if Provided | Hazardous if Provided | Hazardous if Provided | Hazardous if Provided | Hazardous if Provided | Hazardous if Provided | Hazardous if Provided
None | Direction of δ is toward the reference trajectory | H1 | - | H2 | H1 | H2 | H1 | H1, H2 | H2 | H1
In the same direction as δ | Direction of δ is toward the reference trajectory | H1, H5 | - | H2 | H1 | H2 | H1 | H1, H2, H5 | H2 | H1
In the opposite direction of δ | Direction of δ is toward the reference trajectory | H1 | H5 | Hazardous if Provided | Hazardous if Provided | Hazardous if Provided | Hazardous if Provided | Hazardous if Provided | Hazardous if Provided | Hazardous if Provided
In both the opposite and the same direction as δ | Direction of δ is toward the reference trajectory | H1, H5 | H5 | Hazardous if Provided | Hazardous if Provided | Hazardous if Provided | Hazardous if Provided | Hazardous if Provided | Hazardous if Provided | Hazardous if Provided
STPA Vehicle Level Hazards:
• H1: Potential Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
• H2: Potential Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
• H5: ALC System Impedes Actions of Other Vehicle Systems
Table D-2: Control Action: “Disengage ALC System”
The first three columns are the context variables for “Disengage ALC system”; the remaining columns are the guidewords for assessing whether the control action may be unsafe. A cell that is empty in the source is shown as “-”.
ALK/ALC Operational State Request from Driver | ALK/ALC Operational State Request From Other Vehicle Systems | Is Driver Paying Attention to Roadway | Not provided in this context | Provided in this context | Provided, but duration is too long | Provided, but duration is too short | Provided, but the intensity is incorrect (too much) | Provided, but the intensity is incorrect (too little) | Provided, but executed incorrectly | Provided, but the starting time is too soon | Provided, but the starting time is too late
Engage/None | Engage/Resume/None | No | - | H6 | Does not apply | Does not apply | Does not apply | Does not apply | Hazardous if Provided | Does not apply | Hazardous if Provided
Disengage | Engage/Resume/None | No | H4 | H6 | Does not apply | Does not apply | Does not apply | Does not apply | Hazardous if Provided | Does not apply | Hazardous if Provided
Engage/None | Disengage/Suspend | No | H5 | H6 | Does not apply | Does not apply | Does not apply | Does not apply | Hazardous if Provided | Does not apply | Hazardous if Provided
Disengage | Disengage/Suspend | No | H4, H5 | H6 | Does not apply | Does not apply | Does not apply | Does not apply | Hazardous if Provided | Does not apply | Hazardous if Provided
Engage/None | Engage/Resume/None | Yes | - | H1, H3 | Does not apply | Does not apply | Does not apply | Does not apply | Hazardous if Provided | Does not apply | Hazardous if Provided
Disengage | Engage/Resume/None | Yes | H4 | - | Does not apply | Does not apply | Does not apply | Does not apply | H4 | Does not apply | H4
Engage/None | Disengage/Suspend | Yes | H5 | - | H1 | H5 | Does not apply | Does not apply | H1, H5 | H1 | H5
Disengage | Disengage/Suspend | Yes | H4, H5 | - | Does not apply | Does not apply | Does not apply | Does not apply | H4, H5 | Does not apply | H4, H5
STPA Vehicle Level Hazards:
• H1: Potential Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
• H4: Impeding Driver’s Ability to Control the Vehicle
• H5: ALC System Impedes Actions of Other Vehicle Systems
• H6: Absence of Lateral Control Input
Table D-3: Control Action: “Engage ALC System”
The first three columns are the context variables for “Engage ALC system”; the remaining columns are the guidewords for assessing whether the control action may be unsafe. A cell that is empty in the source is shown as “-”.
ALK/ALC Operational State Request from Driver | ALK/ALC Operational State Request From Other Vehicle Systems | Is Driver Paying Attention to Roadway | Not provided in this context | Provided in this context | Provided, but duration is too long | Provided, but duration is too short | Provided, but the intensity is incorrect (too much) | Provided, but the intensity is incorrect (too little) | Provided, but executed incorrectly | Provided, but the starting time is too soon | Provided, but the starting time is too late
Engage | Engage/Resume | No | - | H4 | Does not apply | Does not apply | Does not apply | Does not apply | Hazardous if Provided | Does not apply | Hazardous if Provided
Disengage/None | Engage/Resume | No | H6 | - | Does not apply | Does not apply | Does not apply | Does not apply | H6 | Does not apply | H6
Engage | Disengage/Suspend/None | No | H5 | - | Does not apply | Does not apply | Does not apply | Does not apply | H5 | Does not apply | H5
Disengage/None | Disengage/Suspend/None | No | H5, H6 | - | Does not apply | Does not apply | Does not apply | Does not apply | H5, H6 | Does not apply | H5, H6
Engage | Engage/Resume | Yes | - | H4 | Does not apply | Does not apply | Does not apply | Does not apply | Hazardous if Provided | Does not apply | Hazardous if Provided
Disengage/None | Engage/Resume | Yes | H6 | - | Does not apply | Does not apply | Does not apply | Does not apply | H6 | Does not apply | H6
Engage | Disengage/Suspend/None | Yes | H5 | - | Does not apply | Does not apply | Does not apply | Does not apply | H5 | Does not apply | H5
Disengage/None | Disengage/Suspend/None | Yes | H5, H6 | - | Does not apply | Does not apply | Does not apply | Does not apply | H5, H6 | Does not apply | H5, H6
STPA Vehicle Level Hazards:
• H1: Potential Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
• H4: Impeding Driver’s Ability to Control the Vehicle
• H5: ALC System Impedes Actions of Other Vehicle Systems
• H6: Absence of Lateral Control Input
Table D-4: Control Action: “Actuate Switch to Enable ALC System”
The first column is the context variable for “Actuate Switch to Enable ALC System”; the remaining columns are the guidewords for assessing whether the control action may be unsafe. A cell that is empty in the source is shown as “-”.
ALC System Status | Not provided in this context | Provided in this context | Provided, but duration is too long | Provided, but duration is too short | Provided, but the intensity is incorrect (too much) | Provided, but the intensity is incorrect (too little) | Provided, but executed incorrectly | Provided, but the starting time is too soon | Provided, but the starting time is too late
Enabled | - | H6 | Hazardous if Provided | Hazardous if Provided | Hazardous if Provided | Hazardous if Provided | Hazardous if Provided | Hazardous if Provided | Hazardous if Provided
Disabled | H6 | - | H6 | H6 | H6 | H6 | H6 | H6 | H6
STPA Vehicle Level Hazards:
• H6: Absence of Lateral Control Input
Table D-5: Control Action: “Actuate Switch to Disable ALC System”
The first column is the context variable for “Actuate Switch to Disable ALC System”; the remaining columns are the guidewords for assessing whether the control action may be unsafe. A cell that is empty in the source is shown as “-”.
ALC System Status | Not provided in this context | Provided in this context | Provided, but duration is too long | Provided, but duration is too short | Provided, but the intensity is incorrect (too much) | Provided, but the intensity is incorrect (too little) | Provided, but executed incorrectly | Provided, but the starting time is too soon | Provided, but the starting time is too late
Enabled | H4 | - | H4 | H4 | H4 | H4 | H4 | H4 | H4
Disabled | - | H4 | Hazardous if Provided | Hazardous if Provided | Hazardous if Provided | Hazardous if Provided | Hazardous if Provided | Hazardous if Provided | Hazardous if Provided
STPA Vehicle Level Hazards:
• H4: Impeding Driver’s Ability to Control the Vehicle
Table D-6: Control Action: “Resume Steering Control”
The first column is the context variable for “Resume Steering Control”; the remaining columns are the guidewords for assessing whether the control action may be unsafe. A cell that is empty in the source is shown as “-”.
ALC System Status | Not provided in this context | Provided in this context | Provided, but duration is too long | Provided, but duration is too short | Provided, but the intensity is incorrect (too much) | Provided, but the intensity is incorrect (too little) | Provided, but executed incorrectly | Provided, but the starting time is too soon | Provided, but the starting time is too late
Enabled | Not hazardous | - | Does not apply | Does not apply | Does not apply | Does not apply | Does not apply | Does not apply | Does not apply
Disabled | H6 | - | Does not apply | Does not apply | Does not apply | Does not apply | H6 | Does not apply | H6
STPA Vehicle Level Hazards:
• H4: Impeding Driver’s Ability to Control the Vehicle
• H6: Absence of Lateral Control Input
STPA STEP 1: UCAS AND MAPPING TO HAZARDS
Table E-1: Unsafe Control Actions for the “Command Adjustment to Change Vehicle’s Lateral Position in the δ Direction” Control Action ..... E-2
Table E-2: Unsafe Control Actions for the “Engage ALC System” Control Action ..... E-4
Table E-3: Unsafe Control Actions for the “Disengage/Suspend ALC System” Control Action ..... E-5
Table E-4: Unsafe Control Actions for the “Actuate Switch to Enable ALC System” Control Action ..... E-7
Table E-5: Unsafe Control Actions for the “Actuate Switch to Disable ALC System” Control Action ..... E-9
Table E-6: Unsafe Control Actions for the “Resume Steering” Control Action ..... E-11
Table E-1: Unsafe Control Actions for the “Command Adjustment to Change Vehicle’s Lateral Position in the δ Direction” Control Action
Vehicle Level Hazard | Unsafe Control Actions (Command Adjustment to Change Vehicle’s Lateral Position in the δ Direction)
H5 | The ALC controller does not command a lateral adjustment that changes the vehicle's lateral position in the δ direction when:
• Other vehicle systems request an adjustment in the vehicle's lateral position in the same direction as δ or in both the opposite direction and the same direction as δ.
H1 | The ALC controller does not command a lateral adjustment that changes the vehicle's lateral position in the δ direction when:
• The direction of δ is toward the lane center.
H5 | The ALC controller commands a lateral adjustment that changes the vehicle's lateral position in the δ direction when:
• Other vehicle systems request an adjustment in the vehicle's lateral position in the opposite direction of δ or in both the opposite direction and the same direction as δ.
H2 | The ALC controller commands a lateral adjustment that changes the vehicle's lateral position in the δ direction when:
• The direction of δ is away from the lane center.
H1 | The ALC controller commands a lateral adjustment that changes the vehicle's lateral position in the δ direction when:
• The direction of δ is toward the lane center, and
• Other vehicle systems do not request an adjustment in the vehicle's lateral position or request an adjustment in the vehicle's lateral position in the direction of δ,
but the lateral adjustment is commanded for too short of a period.
H2 | The ALC controller commands a lateral adjustment that changes the vehicle's lateral position in the δ direction when:
• The direction of δ is toward the lane center, and
• Other vehicle systems do not request an adjustment in the vehicle's lateral position or request an adjustment in the vehicle's lateral position in the direction of δ,
but the lateral adjustment is commanded for too long.
H1, H2, H5 | The ALC controller correctly commands a lateral adjustment that changes the vehicle's lateral position in the δ direction, but the command is executed incorrectly.
H1 | The ALC controller commands a lateral adjustment that changes the vehicle's lateral position in the δ direction when:
• The direction of δ is toward the lane center, and
• Other vehicle systems do not request an adjustment in the vehicle's lateral position or request an adjustment in the vehicle's lateral position in the direction of δ,
but the amount of lateral adjustment commanded is too little (e.g., too little torque overlay is requested).
H2 | The ALC controller commands a lateral adjustment that changes the vehicle's lateral position in the δ direction when:
• The direction of δ is toward the lane center, and
• Other vehicle systems do not request an adjustment in the vehicle's lateral position or request an adjustment in the vehicle's lateral position in the direction of δ,
but the amount of lateral adjustment commanded is too much (e.g., too much torque overlay is requested).
H1 | The ALC controller commands a lateral adjustment that changes the vehicle's lateral position in the δ direction when:
• The direction of δ is toward the lane center, and
• Other vehicle systems do not request an adjustment in the vehicle's lateral position or request an adjustment in the vehicle's lateral position in the direction of δ,
but the command is issued too late.
H5 | The ALC controller commands a lateral adjustment that changes the vehicle's lateral position in the δ direction when:
• The direction of δ is toward the lane center, and
• Other vehicle systems request an adjustment in the vehicle's lateral position in the direction of δ,
but the command is issued too soon.
STPA Vehicle Level Hazards:
• H1: Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
• H2: Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
• H5: ALC System Impedes Action by Other Vehicle Systems
Table E-2: Unsafe Control Actions for the “Engage ALC System” Control Action
Vehicle Level Hazard | Unsafe Control Actions (Engage ALC System)
H5 | The ALC system does not issue the command to engage when:
• Other vehicle systems request that the ALC system engage.
H6 | The ALC system does not issue the command to engage when:
• The driver requests that the ALC system engage.
H4 | The ALC system issues the command to engage when:
• The driver does not request that the ALC system engage, and
• Other vehicle systems do not request that the ALC system engage.
H5, H6 | The ALC system correctly issues the command to engage, but the command is executed incorrectly.
H5 | The ALC system issues the command to engage when:
• Other vehicle systems request that the ALC system engage,
but the command is issued too late.
H6 | The ALC system issues the command to engage when:
• The driver requests that the ALC system engage,
but the command is issued too late.
STPA Vehicle Level Hazards:
• H4: Impeding the Driver’s Ability to Control the Vehicle
• H5: ALC System Impedes Action by Other Vehicle Systems
• H6: Absence of Lateral Control Input
Table E-3: Unsafe Control Actions for the “Disengage/Suspend ALC System” Control Action Vehicle Level
Hazard
Unsafe Control Actions
(Disengage/Suspend ALC System)
H5 The ALC system does not issue the command to disengage or suspend operation when:
• Other vehicle systems request that the ALC system disengage or suspend.
H4 The ALC system does not issue the command to disengage or suspend operation when:
• The driver requests that the ALC system disengage.
H6 The ALC system issues the command to disengage or suspend operation when:
• The driver is not paying attention.
H1, H3 The ALC system issues the command to disengage or suspend operation when:
• The driver does not request the ALC system to disengage,
• Other vehicle systems do not request that the ALC system disengage or suspend, and
• The driver is paying attention.
H1 The ALC system issues the command to disengage or suspend operation when:
• The driver does not request the ALC system to disengage,
• Other vehicle systems request that the ALC system disengage or suspend, and
• The driver is paying attention,
but the ALC system remains disengaged for too long (i.e., suspends for too long).
H5 The ALC system issues the command to disengage or suspend operation when:
• The driver does not request the ALC system to disengage,
• Other vehicle systems request that the ALC system disengage or suspend, and
• The driver is paying attention,
but the ALC system remains disengaged for too short a period (i.e., suspends for too short).
H1, H4, H5, H6 The ALC system correctly issues the command to disengage or suspend operation, but the command is executed incorrectly.
H4 The ALC system issues the command to disengage or suspend operation when:
• The driver requests the ALC system to disengage, and
• The driver is paying attention,
but the ALC system disengages too late.
-
E-6
H5 The ALC system issues the command to disengage or suspend operation when:
• Other vehicle systems request that the ALC system disengage or suspend, and
• The driver is paying attention,
but the ALC system disengages too late.
H1 The ALC system issues the command to disengage or suspend operation when:
• The driver does not request the ALC system to disengage,
• Other vehicle systems request that the ALC system disengage or suspend, and
• The driver is paying attention,
but the command is issued too soon.
STPA Vehicle Level Hazards:
• H1: Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged
• H4: Impeding the Driver’s Ability to Control the Vehicle
• H5: ALC System Impedes Action by Other Vehicle Systems
• H6: Absence of Lateral Control Input
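The rows of Table E-3 can be turned into runnable checks. The Python below is an added example, not code from the NHTSA report or from any ALC supplier: it replays a constructed event log (driver and other-system disengage requests, ALC suspend/resume, driver attention state) and reports each Table E-3 unsafe control action it finds, using the hazard labels from the table. The event names, the log layout and all three timing thresholds are assumptions chosen for illustration; the “issued too soon” row is not modeled.

```python
# Added example, not from the NHTSA report: a log checker encoding the Table E-3
# unsafe control actions (UCAs) for the "Disengage/Suspend ALC System" control
# action. Event names, log layout and all timing thresholds are assumptions.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed thresholds (not values from the report).
MAX_DISENGAGE_LATENCY_MS = 200   # a disengage request must be honored within this
MIN_SUSPEND_MS = 500             # a shorter system-requested suspension is "too short"
MAX_SUSPEND_MS = 5000            # a longer system-requested suspension is "too long"


@dataclass(frozen=True)
class Event:
    t_ms: int
    kind: str        # driver_req | system_req | alc_suspend | alc_resume | attention
    value: str = ""  # for "attention": "on" or "off"


Finding = Tuple[int, str, str]   # (time_ms, vehicle-level hazard(s), description)


def check_disengage_ucas(events: List[Event]) -> List[Finding]:
    """Replay an event log and report every Table E-3 UCA it exhibits.

    Mapping taken from the table: request not honored -> H4 (driver) / H5
    (other system); honored too late -> H4 / H5; suspend with no request while
    the driver is attentive -> H1, H3; suspend while the driver is inattentive
    -> H6; system-requested suspension too short -> H5, too long -> H1.
    """
    findings: List[Finding] = []
    attentive = True
    pending: List[Tuple[int, str]] = []          # disengage requests not yet honored
    suspended: Optional[Tuple[int, str]] = None  # (t_ms, request source) while suspended

    for e in sorted(events, key=lambda ev: ev.t_ms):
        if e.kind == "attention":
            attentive = e.value == "on"
        elif e.kind in ("driver_req", "system_req"):
            pending.append((e.t_ms, e.kind))
        elif e.kind == "alc_suspend":
            if pending:
                t_req, src = pending.pop(0)
                hazard = "H4" if src == "driver_req" else "H5"
                latency = e.t_ms - t_req
                if latency > MAX_DISENGAGE_LATENCY_MS:
                    findings.append((e.t_ms, hazard,
                                     f"disengage too late ({latency} ms after {src})"))
                suspended = (e.t_ms, src)
            elif not attentive:
                findings.append((e.t_ms, "H6", "disengaged while driver not paying attention"))
                suspended = (e.t_ms, "none")
            else:
                findings.append((e.t_ms, "H1, H3",
                                 "disengaged with no driver or other-system request"))
                suspended = (e.t_ms, "none")
        elif e.kind == "alc_resume" and suspended is not None:
            t_sus, src = suspended
            duration = e.t_ms - t_sus
            if src == "system_req":   # the table only bounds system-requested suspensions
                if duration < MIN_SUSPEND_MS:
                    findings.append((e.t_ms, "H5", f"suspended too short ({duration} ms)"))
                elif duration > MAX_SUSPEND_MS:
                    findings.append((e.t_ms, "H1", f"suspended too long ({duration} ms)"))
            suspended = None

    # Requests still open at the end of the log were never honored.
    for t_req, src in pending:
        findings.append((t_req, "H4" if src == "driver_req" else "H5",
                         f"disengage not issued after {src}"))
    return findings


# Constructed sample log (not recorded vehicle data).
SAMPLE_LOG = [
    Event(0, "attention", "on"),
    Event(1000, "driver_req"),
    Event(1050, "alc_suspend"),      # honored 50 ms after the driver's request: no finding
    Event(1300, "alc_resume"),
    Event(2000, "system_req"),       # another vehicle system asks ALC to suspend
    Event(2600, "alc_suspend"),      # 600 ms latency: too late -> H5
    Event(2700, "alc_resume"),       # suspended for only 100 ms: too short -> H5
    Event(4000, "alc_suspend"),      # nobody asked, driver attentive -> H1, H3
    Event(4200, "alc_resume"),
    Event(5000, "attention", "off"),
    Event(5100, "alc_suspend"),      # driver inattentive -> H6
    Event(5300, "alc_resume"),
    Event(6000, "driver_req"),       # never honored -> H4
]

if __name__ == "__main__":
    for t, hazard, text in check_disengage_ucas(SAMPLE_LOG):
        print(f"t={t:>5} ms  {hazard:<7} {text}")
```

Each UCA class in the table (not provided, provided when not wanted, too late, too short or too long, executed incorrectly) becomes a separate assertion over the same log, which is what makes the table usable as a test oracle for the monitoring strategy rather than only as a hazard list.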
-
E-7
Table E-4: Unsafe Control Actions for the “Actuate Switch to Enable ALC System” Control Action
Vehicle Level Hazard | Unsafe Control Actions (Actuate Switch to Enable ALC System)
H6 The driver does not actuate the switch to enable lateral motion automation when:
• The ALC system is disabled.
H6 The driver actuates the switch to enable lateral motion automation when:
• The ALC system is already enabled.
H6 The driver actuates the switch to enable lateral motion automation when:
• The ALC system is disabled,
but the button is pressed for too long.
H6 The driver actuates the switch to enable lateral motion automation when:
• The ALC system is disabled,
but the button is pressed for too short a period.
H6 The driver correctly actuates the switch to enable lateral motion automation, but the command is executed incorrectly.
H6 The driver actuates the switch to enable lateral motion automation when:
• The ALC system is disabled,
but the button is pressed with too much force.
H6 The driver actuates the switch to enable lateral motion automation when:
• The ALC system is disabled,
but the button is pressed with too little force.
H6 The driver actuates the switch to enable lateral motion automation when:
• The ALC system is disabled,
but the switch is actuated too late.
-
E-8
H6 The driver actuates the switch to enable lateral motion automation when:
• The ALC system is disabled,
but the switch is actuated too soon.
STPA Vehicle Level Hazards: • H6: Absence of Lateral Control Input
-
E-9
Table E-5: Unsafe Control Actions for the “Actuate Switch to Disable ALC System” Control Action
Vehicle Level Hazard | Unsafe Control Actions (Actuate Switch to Disable ALC System)
H4 The driver does not actuate the switch to disable lateral motion automation when:
• The ALC system is enabled.
H4 The driver actuates the switch to disable lateral motion automation when:
• The ALC system is already disabled.
H4 The driver actuates the switch to disable lateral motion automation when:
• The ALC system is enabled,
but the button is pressed for too short a period.
H4 The driver actuates the switch to disable lateral motion automation when:
• The ALC system is enabled,
but the button is pressed for too long.
H4 The driver correctly actuates the switch to disable lateral motion automation, but the command is executed incorrectly.
H4 The driver actuates the switch to disable lateral motion automation when:
• The ALC system is enabled,
but the button is pressed with too little force.
H4 The driver actuates the switch to disable lateral motion automation when:
• The ALC system is enabled,
but the button is pressed with too much force.
H4 The driver actuates the switch to disable lateral motion automation when:
• The ALC system is enabled,
but the switch is actuated too soon.
-
E-10
H4 The driver actuates the switch to disable lateral motion automation when:
• The ALC system is enabled,
but the switch is actuated too late.
STPA Vehicle Level Hazards: • H4: Impeding the Driver’s Ability to Control the Vehicle
-
E-11
Table E-6: Unsafe Control Actions for the “Resume Steering” Control Action
Vehicle Level Hazard | Unsafe Control Actions (Resume Steering)
H6 The driver does not resume steering when:
• The ALC system is disabled.
H6 The driver correctly decides to resume steering, but the action is executed incorrectly.
H6 The driver resumes steering when:
• The ALC system is disabled,
but the driver resumes steering too late.
STPA Vehicle Level Hazards: • H6: Absence of Lateral Control Input
-
F-1
OPERATIONAL SITUATIONS
1. Driving at low speed (< 40 kph) on an arterial interstate (i.e., limited access) highway. The driver is not executing a maneuver.
2. Driving at low speed (< 40 kph) on an arterial interstate (i.e., limited access) highway. The driver is executing a maneuver.
3. Driving at low speed (< 40 kph) on a divided arterial highway. The driver is not executing a maneuver.
4. Driving at low speed (< 40 kph) on a divided arterial highway. The driver is executing a maneuver.
5. Driving at low speed (< 40 kph) on an undivided arterial highway with no pedestrians present. The driver is not executing a maneuver.
6. Driving at low speed (< 40 kph) on an undivided arterial highway with no pedestrians present. The driver is executing a maneuver.
7. Driving at low speed (< 40 kph) on an undivided arterial highway with pedestrians present. The driver is not executing a maneuver.
8. Driving at low speed (< 40 kph) on an undivided arterial highway with pedestrians present. The driver is executing a maneuver.
9. Driving at low speed (< 40 kph) on a divided collector highway with no pedestrians present. The driver is not executing a maneuver.
10. Driving at low speed (< 40 kph) on a divided collector highway with no pedestrians present. The driver is executing a maneuver.
11. Driving at low speed (< 40 kph) on a divided collector highway with pedestrians present. The driver is not executing a maneuver.
12. Driving at low speed (< 40 kph) on a divided collector highway with pedestrians present. The driver is executing a maneuver.
13. Driving at low speed (< 40 kph) on an undivided collector highway with pedestrians present. The driver is not executing a maneuver.
14. Driving at low speed (< 40 kph) on an undivided collector highway with pedestrians present. The driver is executing a maneuver.
15. Driving at low speed (< 40 kph) on a local road with pedestrians present. The driver is not executing a maneuver.
16. Driving at low speed (< 40 kph) on a local road with pedestrians present. The driver is executing a maneuver.
17. Driving at medium speed (40 kph < V < 100 kph) on an arterial interstate (i.e., limited access) highway. The driver is not executing a maneuver.
18. Driving at medium speed (40 kph < V < 100 kph) on an arterial interstate (i.e., limited access) highway. The driver is executing a maneuver.
19. Driving at medium speed (40 kph < V < 100 kph) on a divided arterial highway. The driver is not executing a maneuver.
-
F-2
20. Driving at medium speed (40 kph < V < 100 kph) on a divided arterial highway. The driver is executing a maneuver.
21. Driving at medium speed (40 kph < V < 100 kph) on an undivided arterial highway with no pedestrians present. The driver is not executing a maneuver.
22. Driving at medium speed (40 kph < V < 100 kph) on an undivided arterial highway with no pedestrians present. The driver is executing a maneuver.
23. Driving at medium speed (40 kph < V < 100 kph) on an undivided arterial highway with pedestrians present. The driver is not executing a maneuver.
24. Driving at medium speed (40 kph < V < 100 kph) on an undivided arterial highway with pedestrians present. The driver is executing a maneuver.
25. Driving at medium speed (40 kph < V < 100 kph) on a divided collector highway with no pedestrians present. The driver is not executing a maneuver.
26. Driving at medium speed (40 kph < V < 100 kph) on a divided collector highway with no pedestrians present. The driver is executing a maneuver.
27. Driving at medium speed (40 kph < V < 100 kph) on a divided collector highway with pedestrians present. The driver is not executing a maneuver.
28. Driving at medium speed (40 kph < V < 100 kph) on a divided collector highway with pedestrians present. The driver is executing a maneuver.
29. Driving at medium speed (40 kph < V < 100 kph) on an undivided collector highway with pedestrians present. The driver is not executing a maneuver.
30. Driving at medium speed (40 kph < V < 100 kph) on an undivided collector highway with pedestrians present. The driver is executing a maneuver.
31. Driving at medium speed (40 kph < V < 100 kph) on a local road with pedestrians present. The driver is not executing a maneuver.
32. Driving at medium speed (40 kph < V < 100 kph) on a local road with pedestrians present. The driver is executing a maneuver.
33. Driving at high speed (100 kph < V < 130 kph) on an arterial interstate (i.e., limited access) highway. The driver is not executing a maneuver.
34. Driving at high speed (100 kph < V < 130 kph) on an arterial interstate (i.e., limited access) highway. The driver is executing a maneuver.
35. Driving at high speed (100 kph < V < 130 kph) on a divided arterial highway. The driver is not executing a maneuver.
36. Driving at high speed (100 kph < V < 130 kph) on a divided arterial highway. The driver is executing a maneuver.
37. Driving at high speed (100 kph < V < 130 kph) on an undivided arterial highway with no pedestrians present. The driver is not executing a maneuver.
38. Driving at high speed (100 kph < V < 130 kph) on an undivided arterial highway with no pedestrians present. The driver is executing a maneuver.
39. Driving at high speed (100 kph < V < 130 kph) on a divided collector highway. The driver is not executing a maneuver.
-
F-3
40. Driving at high speed (100 kph < V < 130 kph) on a divided collector highway. The driver is executing a maneuver.
41. Driving at high speed (100 kph < V < 130 kph) on an undivided collector highway with no pedestrians present. The driver is not executing a maneuver.
42. Driving at high speed (100 kph < V < 130 kph) on an undivided collector highway with no pedestrians present. The driver is executing a maneuver.
43. Driving at very high speed (V > 130 kph) on an arterial interstate (i.e., limited access) highway. The driver is not executing a maneuver.
44. Driving at very high speed (V > 130 kph) on an arterial interstate (i.e., limited access) highway. The driver is executing a maneuver.
45. Driving at very high speed (V > 130 kph) on a divided arterial highway. The driver is not executing a maneuver.
46. Driving at very high speed (V > 130 kph) on a divided arterial highway. The driver is executing a maneuver.
47. Driving at very high speed (V > 130 kph) on an undivided arterial highway with no pedestrians present. The driver is not executing a maneuver.
48. Driving at very high speed (V > 130 kph) on an undivided arterial highway with no pedestrians present. The driver is executing a maneuver.
-
G-1
ASIL ASSESSMENT
Table G-1: Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged (NHTSA Level 1 Automation) ...... G-3
Table G-2: Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged (NHTSA Level 1 Automation) ...... G-8
Table G-3: Unintended Loss of ALC System (NHTSA Level 1 Automation) ...... G-13
Table G-4: Improper Transition of Control Between the Driver and ALC System (NHTSA Level 1 Automation) ...... G-18
Table G-5: ALC System Interferes With Operation of Other Vehicle Features/Systems (NHTSA Level 1 Automation) ...... G-23
Table G-6: Insufficient Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged (NHTSA Level 2 Automation, With the Driver Engaged) ...... G-28
Table G-7: Excessive Lateral Adjustment That Results in Lane/Roadway Departure With ALC Engaged (NHTSA Level 2 Automation, With the Driver Engaged) ...... G-33
Table G-8: Unintended Loss of ALC System (NHTSA Level 2 Automation, With the Driver Engaged) ...... G-38
Table G-9: Improper Transition of Control Between the Driver and ALC System (NHTSA Level 2 Automation, With the Driver Engaged) ...... G-43
Table G-10: ALC System Interferes With Operation of Other Vehicle Features/Systems (NHTSA Level 2 Automation, With the Driver Engaged) ...... G-48
Table G-11: Passive Lane/Roadway Departure While the ALC System Is Engaged (NHTSA Level 2 Automation, With the Driver Not Engaged) ...... G-53
Table G-12: Active Lane/Roadway Departure While the ALC System Is Engaged (NHTSA Level 2 Automation, With the Driver Not Engaged) ...... G-58
Table G-13: Unexpected Loss of ALC System (NHTSA Level 2 Automation, With the Driver Not Engaged) ...... G-63
Table G-14: Improper Transition of Control Between the Driver and ALC System (NHTSA Level 2 Automation, With the Driver Not Engaged) ...... G-68
Table G-15: ALC System Interferes With Operation of Other Vehicle Features/Systems (NHTSA Level 2 Automation, With the Driver Not Engaged) ...... G-73
Table G-16: Passive Lane/Roadway Departure While the ALC System Is Engaged (NHTSA Level 3) ...... G-78
Table G-17: Active Lane/Roadway Departure While the ALC System Is Engaged (NHTSA Level 3) ...... G-83
Table G-18: Unexpected Loss of ALC System (NHTSA Level 3) ...... G-88
Table G-19: Improper Transition of Control Between the Driver and ALC System (NHTSA Level 3) ......